
Data Breach Reporting Down Under – Australia’s New Data Breach Notification Law Takes Effect

On Feb. 22, 2018, the Australian Privacy Amendment Act took full effect, requiring Australian entities to disclose certain data breaches (“Notifiable Data Breaches” or “NDB”) to the Office of the Australian Information Commissioner (“OAIC”) and affected individuals. The Act amended Part IIIC of the Privacy Act 1988, which was established to regulate the handling of personal information about individuals.[1] This law is long overdue considering that in the United States, most states have had similar laws on the books since 2002.[2]

What does the new law do?

The NDB scheme creates a mandatory obligation to “notify individuals whose personal information is involved in a data breach that is likely to result in serious harm.”[3] The NDB scheme applies to all agencies and organizations covered by the Privacy Act 1988.[4] “Covered entities” include entities such as Australian government agencies, businesses and not-for-profit organizations with annual revenues of AU$3 million or more, health service providers, and many others.[5] Since the NDB scheme took effect on Feb. 22, 2018, it is only applicable to eligible data breaches that occur on or after that date.[6]

What constitutes an “eligible data breach”?

Because not all data breaches are eligible for disclosure, it is important to know what constitutes an “eligible data breach” requiring reporting. An “eligible data breach” has three key elements:
  1. Unauthorized access to or unauthorized disclosure of personal information;
  2. The data breach is likely to result in “serious harm” to one or more individuals;
  3. The covered entity has not been able to prevent the likely risk of serious harm through remedial action.[7]
Under the first element, “unauthorized access” results from someone accessing information without permission, while an “unauthorized disclosure” occurs when an entity, whether intentionally or unintentionally, makes personal information publicly accessible.[8] Next, in assessing whether a breach may result in “serious harm” under element two, a number of factors can be considered. Those factors include: whether the data includes “sensitive information;” the circumstances of the breach (i.e., how many people were affected and whether the data was encrypted); and the nature of the harm (i.e., how the information could harm individuals).[9]

Finally, under element three, if the entity has been unsuccessful in taking remedial action to minimize the risk of serious harm to individuals, then disclosure is necessary. This final element is notable because it functions almost as an exception to the rule: the NDB scheme “provides entities with the opportunity to take positive steps” to address a data breach in order to avoid disclosure of the breach.[10] However, that remedial action must ensure that the data breach is no longer likely to result in “serious harm.”[11]

What do I need to do to comply? What are the consequences for non-compliance?

When a covered entity becomes aware or has reasonable grounds to believe an eligible data breach has occurred, the covered entity is required to notify (1) the OAIC of the breach and (2) individuals likely at risk of serious harm.[12] The notification is required to include the following four items:
  1. The covered entity’s identity and contact information;
  2. A description of the eligible data breach;
  3. The kind/s of information compromised;
  4. Steps the covered entity recommends individuals take in response to the breach.[13]
As a result of this new notification regime, when an organization fails to comply with the breach notification requirement, the OAIC may deem such conduct an “interference with the privacy of an individual” affected by an eligible data breach.[14] This may lead to enforcement action, including the imposition of civil penalties under the Privacy Act 1988. These penalties can reach maximum fines of AU$420,000 for individuals and AU$2.1 million for corporate entities.[15]

Companies that may fall under the NDB scheme should consider updating their respective incident response plans in order to comply with Australia’s new breach notification requirements. Ice Miller has the professionals and experience to help clients assess risk and implement approved frameworks to come into compliance with such regulatory frameworks. To speak to an attorney, please contact Nicholas Merker at or another member of our Data Security and Privacy Team.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
[1] Privacy Law, Office of the Australian Information Commissioner,
[2] Paul Smith, New Mandatory Data Breach Notifications Laws to Drag Australia into Cyber Age, Financial Review (Feb. 23, 2018),
[3] Privacy Law, supra note 1.
[4] Notifiable Data Breaches scheme, Office of the Australian Information Commissioner,
[5] Id.
[6] Id.
[7] Identifying Eligible Data Breaches, Office of the Australian Information Commissioner,
[8] Id.
[9] Id.
[10] Id.
[11] Id.
[12] Notifiable Data Breaches scheme, supra note 4.
[13] Id.
[14] Draft: Guide to OAIC Privacy Regulatory Action — Chapter 9: Data Breach Incidents, Office of the Australian Information Commissioner,
[15] Smith, supra note 2.